1. characts of useful info
    relevant, reliable, complete, timely, understandable, verifiable, accessible
  2. transaction
    agreement bet 2 entities to exchange goods or services or any other event that can be measured in economic terms by org
  3. transaction processing
    capturing transaction data, processing it, storing it for later use, and producing info output like fin statement/report
  4. 5 business processes or transaction cycles
    • revenue cycle
    • expenditure cycle
    • production/conversion cycle : raw materials are transformed to finished goods
    • HR/payroll cycle: employees are hired, trained, compensated, promoted, terminated
    • financing cycle: comps sell shares to investors and borrow money, investors are paid divs, and interest on loans is paid
  5. AIS
    • collects, records, stores, and processes data to produce info for decision makers
    • 6 components:
    • - people: use the system
    • - procedures and instructions: used to collect, process, and store data
    • - data: about org and its bus activities
    • - software: processes data
    • - IT infrastructure: computers, peripheral devices, and network communication devices used in AIS
    • - internal controls and security measures: safeguard the AIS

    • the 6 components fulfill 3 bus functs 
    • 1. collect and store data about organizational activities, resources, and personnel
    • 2. transform data into info so mgmt can plan, execute, control, and eval activities, resources, and personnel
    • 3. provide adequate controls to safeguard org's assets and data
  6. how can AIS add val to org
    • 1. improves quality and reduces costs of products/services
    • 2. improves efficiency
    • 3. sharing knowledge - employees can search database to identify experts to provide assistance
    • 4. improves efficiency and effectiveness of supply chain (firm, suppliers, and customers)
    • 5. improves internal control structure
    • 6. improves decision making
  7. source doc
    used to capture transaction data at source, when transaction takes place (ex. sales order, purch order, employee time cards, remittance list, credit memo, delivery ticket, deposit slip, receiving report, W-4 form, purch requisition)
  8. turnaround doc
    records of comp sent to external party and then returned to system as input; in machine-readable form to facilitate their subsequent processing as input records (ex. utility bill)
  9. source data automation
    collection of transaction data in machine-readable form at time and place of origin (ex. ATMs or point of sale terminals)
  10. audit trail
    path that allows transaction to be traced through data processing system from point of origin to output or backwards; used to check accuracy and validity of ledger accts from beg bal to end bal
  11. entity
    something about which info is stored in record; ex employee, inventory item, customer
  12. attributes
    properties, identifying numbers, and characts of interest of an entity that's stored in database (ex. employee ID, payrate, name, address)
  13. record
    set of fields whose data vals describe specific attributes of entity such as all payroll data on single employee (EVERY ROW IS A RECORD)
  14. file
    set of logically related records (ex. payroll records of all employees) (a spreadsheet)
  15. master file
    permanent file of records that stores cumulative data about org; as transactions take place, individual records within master file are updated to keep them current
  16. transaction file
    contains individual bus transactions that occur during specific fiscal period; conceptually similar to journal in a manual AIS
  17. database
    set of interrelated, centrally controlled data files stored w as little data redundancy as possible; consolidates records previously stored in separate files into common pool and serves variety of users and data processing apps
  18. data processing activities
    • CRUD
    • creating
    • reading
    • updating
    • - batch processing: accumulating transaction records into groups/batches for processing at reg interval like daily/weekly; records are usually sorted into some sequence (numerically/alphabetically) before processing; only used for apps like payroll that don't need constant updating and naturally occur at fixed time pds
    • - online, real-time processing: data is processed immediately after capture and system provides updated info to users on timely basis
    • - online batch processing: combo of other 2; transaction data is entered and edited as they occur, but stored for later processing

  19. output
    docs, reports, queries
  20. ERP system
    integrates all aspects of org's activities; facilitates info flow among comp's various functs and manages communications w outside stakeholders
  21. database mgmt system DBMS
    program that manages and controls data and the interfaces bet data and app programs that use data in database
  22. database system
    database, DBMS, and app programs that access database through DBMS
  23. database admin
    person responsible for coordinating, controlling, and managing database
  24. record layout
    doc that shows items stored in file, including order and lengths of data fields and type of data stored
  25. logical view
    how ppl conceptually organize, view, and understand relationships among data items (ex. table, pie chart)
  26. physical view
    way data are physically arranged and stored in computer system
  27. schema
    • description of data elements in database, relationships among them, and logical model used to organize and describe the data
    • - conceptual-lvl schema: organization-wide view of entire database and lists all data elements and relationships bet them
    • - external-lvl schema: indiv user's view of portions of database; also called subschema
    • - internal-lvl schema: low-lvl view of entire database describing how data are actually stored and accessed (ex. record layouts, indexes, definitions)
  28. data dictionary
    info about structure of database, including description of each data element; DBMS maintain it
  29. data definition lang (DDL)
    DBMS lang that builds data dictionary, creates database, describes logical views, and specifies record/field security constraints; should be restricted to authorized admins and programmers
  30. data manipulation lang (DML)
    changes database content, including data element creations, updates, insertions, and deletions; should be restricted to authorized admins and programmers
  31. data query lang (DQL)
    high-lvl, English-like lang that contains powerful, easy to use commands that enable users to retrieve, sort, order, and display data; available to users
  32. report writer
    simplifies report creation; available to users
  33. relational data model
    2D table representation of data; each row represents unique entity (record) and each column is field where attributes are stored

    tuple is a row

    relational database is solution for storage probs (anomalies)
  34. primary key
    database attribute, or combo of attributes, that uniquely identifies each row in table; usually single attribute (ex. Sales Invoice #, Item #)
  35. foreign key
    attribute in table that is also primary key in other table and is used to link both tables
  36. probs of storing data in one uniform table (anomalies)
    • update anomaly: non-primary key item is stored multiple times; updating item in 1 location and not others causes data inconsistencies
    • insert anomaly: results in inability to add records to database (ex. not being able to add customer info on someone who hasn't made purch yet because you can't leave sales invoice # column blank)
    • delete anomaly: results in loss of all info about entity when row is deleted
  37. 4 relational database reqs
    • 1. every column in row must be single valued
    • 2. primary keys can't be blank - entity integrity rule; non-null primary keys ensure every row in table reps something and that it can be identified
    • 3. foreign keys, if not blank, must have vals corresponding to primary key in another table
    • 4. all nonkey attributes must describe charact of object identified by primary key
  38. database design process (5 steps)
    • systems analysis
    • conceptual design
    • physical design
    • implementation and conversion
    • op and maintenance
  39. data modeling
    defining database so it faithfully represents all key components of org's environ; objective is to explicitly capture and store data about every bus. activity org wishes to plan, control, or evaluate

    • 2 tools used to perform it-
    • entity-relationship diagram: graphical depiction of database's content showing various entities being modeled and important relationships among them
    • REA data model: contains info about 3 types of entities - resources, events, agents; usually are depicted in form of ER diagram
  40. resources
    those things that have economic val to org like cash, inventory, supplies, factories, land
  41. events
    bus activities about which mgmt wants to collect info for planning and control purposes (ex. sale/purch of inventory)
  42. agents
    ppl and orgs who participate in events and about whom info is desired
  43. REA template
    • 1. each event's linked to at least 1 resource that affects it
    • 2. each event's linked to at least another event
    • 3. each event's linked to at least 2 participating agents
  44. developing REA diagram
    • 1. identify events about which mgmt wants to collect info
    • 2. identify resources affected by each event and participating agents
    • 3. determine cardinalities of each relationship
  45. cardinalities
    describe nature of database relationship indicating number of occurrences of entity that may be associated w single occurrence of other entity; 3 types: 1 to 1, 1 to many, many to many
  46. minimum cardinality
    min number of instances entity can be linked to other entity in relationship; can only be 0 or 1; closer to the center of the model
  47. maximum cardinality
    max number of instances entity can be linked to other entity in the relationship; can be 1 or many; closer to the boxes
  48. 3 types of relationships
    • 1:1 - when max cardinality of both entities is 1
    • 1:N or N:1 - when max cardinality of one entity is 1, and many for the other
    • M:N - when both max cardinalities are many
  49. 4 types of AIS threats
    • Natural and political disasters
    • software errors and equip malfuncts
    • unintentional acts
    • intentional acts (computer crime)
  50. fraud and its 5 reqs
    any and all means person uses to gain unfair advantage over another

    • for act to be fraudulent:
    • 1. false statement, representation, or disclosure
    • 2. material fact (something that induces person to act)
    • 3. intent to deceive
    • 4. justifiable reliance (person relied on misrepresentation to take action)
    • 5. injury or loss suffered by victim
  51. white collar criminals
    typically businesspeople who commit fraud; resort to trickery or cunning, and crimes usually involve violation of trust/confidence
  52. misappropriation of assets
    theft of comp assets by employees; most significant contributing factor is lack of internal controls and/or failure to enforce existing internal control
  53. SAS 99 and auditor's responsibility to detect fraud
    • understand fraud
    • discuss risk of material fraudulent misstatements
    • obtain info
    • identify, assess, and respond to risks
    • evaluate results of audit tests
    • document and communicate findings to mgmt and audit committee
    • incorporate tech focus
  54. fraud triangle
    • 3 conditions are present when fraud occurs
    • pressure: employee (lifestyle, financial, emotional); organizational (financial, industry condition, mgmt characts)
    • opportunity: commit the fraud, conceal it (lapping - concealing theft of cash by means of series of delays in posting collections to A/R; check kiting - creating cash using lag time bet time check's deposited and time it clears bank), convert theft to personal gain
    • rationalization: allows perpetrators to justify their illegal behavior (attitude - rules don't apply to me, lack of personal integrity - getting what I want is more important, justification - took what I was owed)
  55. computer fraud
    any type of fraud that reqs computer tech to perpetrate (ex. unauthorized use, theft, access, modification, copying, or destruction of software, hardware, or data)

    • types -
    • input fraud: most common way to commit computer fraud is to alter/falsify computer input; little skill reqd
    • processor fraud: unauthorized system use and theft of computer time and services (ex. use of comp computers to run gambling website)
    • computer instructions fraud: tampering w comp software, copying software illegally, using software in unauthorized manner, and developing software to carry out unauthorized activity
    • data fraud: using, copying, browsing, searching, or harming comp data; biggest cause is employee negligence (ex. selling comp info to friends)
    • output fraud: stealing, copying, misusing displayed/printed output
  56. ways to make fraud less likely to occur
    • organizational culture stresses integrity and commitment to ethics
    • set of anti-fraud policies
    • employee support programs
    • comp code of conduct
    • req oversight from active, involved, and indep audit committee; adopt organizational structure that makes fraud less likely to occur
    • supervise employees
    • increase penalty for committing fraud
    • HR policies for hiring, compensation, promoting, evaluating, and discharging employees
  57. ways to increase difficulty of committing fraud
    • proper segregation of duties
    • strong system of internal controls
    • safeguard all assets, records, and data
    • require transactions and activities be authorized by appropriate supervisor
    • fix software vulnerabilities
    • restrict physical and remote access to system resources
    • encrypt stored and transmitted data
  58. improve fraud detection methods
    • create audit trail
    • conduct periodic external and internal audits as well as special network security audits
    • motivate employees to report fraud
    • fraud detection software
    • fraud hotline
    • employ forensic specialists, computer security officer, etc
    • monitor system activities
  59. reduce fraud losses
    • insurance
    • store backup copies of program and data files in off-site location
    • comprehensive fraud contingency, disaster recovery, and bus continuity plan
    • use software to monitor system activity and recover from fraud
  60. internal controls
    processes and procedures implemented to provide reasonable assurance that control objs are met

    • 3 important funct
    • preventive controls: deter probs before they arise (ex. segregation of duties, control physical access to assets and info)
    • detective controls: discover probs that weren't prevented (ex. bank reconciliations, duplicate checking of calculations)
    • corrective control: identify and correct probs as well as correct and recover from resulting error (ex. file backup copies, correcting data entry errors, resubmitting transactions for subsequent processing)

    • separated into 2 categories
    • general controls: make sure org's IS and control environ is stable and well managed (ex. security, IT infrastructure, software acquisition, maintenance, and development controls)
    • application controls: prevent, detect, and correct transaction errors and fraud in app programs; concerned w accuracy, completeness, validity, and authorization of data captured, entered, processed, stored, and transmitted
  61. FCPA
    passed to prevent comps from bribing foreign officials to obtain business; reqs all publicly owned corps to maintain system of internal acc controls
  62. SOX
    intended to prevent fin statement fraud, make fin reports more transparent, provide protection for investors, strengthen internal controls at public comps, and punish execs who perpetrate fraud; created PCAOB
  63. PCAOB
    created by SOX to regulate auditing profession; consists of 5 ppl appointed by SEC
  64. COBIT
    security and control mgmt to benchmark security and control practices of IT environs; updated to COBIT 5 and describes best practices for effective governance and mgmt of IT
  65. COSO's ERM
    improves risk mgmt process by expanding COSO's IC-integrated; process BOD and mgmt use to set strategy, identify events that may affect entity, assess and manage risk, and provide reasonable assurance comp achieves objs and goals

    • 8 risk and control components
    • internal environ: consists of mgmt philosophies, commitment to integrity, BOD internal control oversight, organizational structure, methods of assigning authority and responsibility, HR stds, and external influences
    • obj setting
    • risk assessment
    • risk response: 4 ways - reduce (implement effective internal controls), accept (accept likelihood and impact of risk), share (outsource specific activity, buy insurance), avoid (discontinue business activity, product line, sell division)
    • control activities
    • info and communication
    • monitoring
    • each of these applies to each of 4 objs - strategic, operations, reporting, compliance - and/or 1 of org's subunits (subsidiary, entity-lvl, division, business unit)
  66. control activities
    policies, procedures, and rules that provide reasonable assurance that control objs are met and risk responses are carried out

    • - authorization: establishing policies for employees to follow and empowering them to perform certain organizational functs (specific authorization: special approval employee needs to be able to handle transaction, ex. mgmt approval for sales of 50K; gen authorization: authorization given to employees to handle routine transactions w/o special approval)
    • - segregation of authorization (authorizing transactions/decisions), recording (preping source docs, maintaining journal, files, databases, preping reconciliations, preping reports), and custody duties (handling cash/inventories, tools, fixed assets, writing checks, receiving checks in mail)
  67. indep checks on performance
    • done by someone other than person performing original operation
    • top lvl revs
    • analytical revs: relationship bet diff sets of data (ex relation bet sales and COGS, inventory, etc)
    • reconciliation of independently maintained records
    • comparison of actual quantities w recorded amnts
    • double entry acc: tracing debits w corresponding credits
    • independent rev: second person reviews work after transaction is processed to check for authorization, accuracy of prices, quantities, etc
  68. Trust Services Framework
    • security - controlled and restricted access to system and data
    • confidentiality - sensitive organizational info's (trade secrets, mktg plans) protected from unauthorized disclosure
    • privacy
    • processing integrity
    • availability
  69. defense in depth
    employing multiple layers of controls to avoid single point of failure; combo of preventive (ex. physical security access controls, change controls and change mgmt, IT solutions like anti-malware), detective (log analysis, penetration testing, continuous monitoring, intrusion detection system), and corrective controls (Computer Incident Response Team, CISO, patch mgmt)
  70. user access controls (preventive)
    • - authentication controls: verifying identity of person or device attempting to access system; 3 types of credentials - something they know (password, PIN), something they have (ID badge, smart card), personal charact (fingerprint, voice recognition); multifactor authentication: use of 2 or more types of authentication credentials to achieve greater security; multimodal authentication: use of multiple credentials of the same type (ex. fingerprint scanner and voice recognition)
    • - authorization controls: restricting access of authenticated users to specific portions of system and limiting actions they can perform; access control matrix identifies the actions every employee can perform and compatibility test matches user's authentication credentials to the access control matrix
  71. physical security access controls (preventive)
    begin w entry pts to bldg; should only have 1 entrance unlocked during regular hrs; emergency exits should be connected to alarm system and only opened from inside; no exposed cables/wiring to prevent wiretapping; restricted access to rooms with computer equipment; restricted access to printers; remote access control systems
  72. preserving confidentiality
    (4 steps)
    • 1. identify and classify info to be protected
    • 2. encrypt info
    • - encryption is only way to protect info in transit over internet; necessary part of defense in depth to protect info stored on website/public cloud
    • 3. control access to info
    • 4. train employees to properly handle info
  73. protecting privacy
    • 1. identify info to be protected
    • 2. encrypt info
    • - info needs to be encrypted while both in transit over internet and in storage
    • 3. access controls
    • - strong authentication and authorization controls; orgs should run data masking programs that replace personal info w fake vals before sending the data to program development and system testing; also called tokenization
    • 4. training
  74. identity theft
    privacy concern; assuming someone's identity usually for economic gain; medical id theft can have life threatening consequences because of errors to medical records
  75. encryption
    process of transforming normal txt (plaintext) to unreadable gibberish (ciphertext); preventive control to protect both confidentiality and privacy; provides last barrier that must be overcome by intruder who has obtained unauthorized access to stored info

    • 2 types
    • - symmetric encryption: uses same key both to encrypt and decrypt; fast speed and used for larger amnts of info
    • - asymmetric encryption system: uses 2 keys (one public, one private); either can encrypt, but only the other key can decrypt; much slower; private key is kept secret and known only to owner of that pair of pub and private keys
  76. digital signature
    Hash encrypted with hash creator's private key; signature is legally binding; provides assurance about 2 issues - 1. copy of file/doc has not been altered, 2. who created original version of a digital doc/file
  77. digital certificate
    Electronic doc that certifies identity of owner of particular public key and contains that party's public key; they're like digital equivalents of licenses or passports; issued by org called certificate authority and contain the authority's digital signature to prove they're genuine
  78. virtual private networks (VPN)
    using encryption and authentication to securely transfer info over internet, thereby creating "virtual private network"; private communication channels are only accessible to parties possessing appropriate encryption and decryption keys; include controls to authenticate parties exchanging info and to create audit trail of exchange; 2 types - one uses browser, encrypting the traffic with SSL, and the other uses IPSec
  79. processing integrity
    ensures produced info is accurate, complete, timely, and valid

    • 3 controls
    • -input controls
    •      field check
    •      sign check
    •      range check
    •      limit check
    •      size check
    •      completeness check
    •      validity check
    •      reasonableness test
    •      check digit: ID numbers can contain one computed from the other digits
    •      check digit verification: recalculating check digit to verify data entry error hasn't been made
    •      batch processing data entry controls: sequence check (tests whether batch is in proper numerical/alphabetical sequence), batch totals (financial, hash, record count)
    •      online data entry controls: prompting, closed-loop verification, transaction log
    • -processing controls
    •       data matching
    •       file labels: header record (file name, expiration date, and other identification data), trailer record (at end; contains batch tots calculated during input)
    •       recalculation of batch tots: comparing batch tots to vals in trailer record; may discover transposition errors (2 adjacent digits reversed)
    •       cross-footing: compares 2 alt ways of calculating same total
    •       zero-bal test: verifies bal of control acct equals 0 after all entries to it have been made
    •       write-protection mechanisms: protect files from accidentally being damaged/erased
    •       concurrent update controls: lock out users to protect individual records from errors if multiple users attempt to update them simultaneously
    • -output controls
    •      user review of output
    •      reconciliation procedures
    •      external data reconciliation
    •      data transmission controls
    •           1. checksums: uses hash of file to verify accuracy
    •           2. parity bit: extra bit added to beginning of every character
  80. availability (part of Trust Services Framework)
    • minimize risk of system downtime
    •     -preventive maintenance: cleaning disk drives and properly storing magnetic and optical media to reduce risk of hardware and software failure
    •     -redundant components to provide fault tolerance: Redundant arrays of Indep Drives (RAID)- recording data on multiple disk drives instead of just 1
    •     -data center location and design: raised floors for flood protection, UPS to provide protection in event of prolonged power outage, adequate A/C
    •     -training
    •     -patch mgmt and antivirus software
    • quick and complete recovery and resumption of normal ops
    •     -backup: exact copy of database file or software program
    •          recovery pt obj: amnt of data org's willing to reenter or potentially lose
    •          recovery time obj: amnt of time org's willing to attempt to funct without its IS
    •        full backup: exact copy of ENTIRE database
    •        incremental backup: copying only data items that have changed since last PARTIAL backup; produces set of incremental files; restoration takes longer than w differential backup
    •       differential backup: copies changes made since last FULL backup; each new differential backup has cumulative changes and copies today's activities and all from previous days; daily backups take longer but restoration is simpler
    •     -disaster recovery plan: plan to restore org's IT capability in event data center's destroyed (cold site, hot site)
    •     -business continuity plan: specifies how to resume not only IT ops, but all business processes in event of major calamity
Card set: AIS Midterm